From the Wire to the Data Center: Unmasking UNC5221 and the BRICKSTORM Backdoor
February 20, 2026
Anatomy of an Attack
Persistent Espionage Leverages Virtualization and Edge Infrastructure
Between August 2025 and January 2026, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a series of advisories regarding Chinese state-sponsored espionage operations. Initial reports identified activities by the People’s Republic of China (PRC) threat actors across telecommunications, government, and transportation sectors. Technical analysis from CISA highlighted the BRICKSTORM backdoor. This tool facilitates persistence and command and control (C2) mainly within VMware vSphere virtualized environments.
Researchers have attributed the use of this malware to two China-nexus clusters tracked as UNC5221 (also known as UTA0178 and Red Dev 61) and WARP PANDA. While both groups utilize similar tools, it is not yet confirmed if they represent the same operational entity. Despite this ambiguity, they focus on compromising the core identity systems that manage access across an organization. Their goal is to transition from a single point of entry to gaining total control by stealing the "keys to the kingdom." For the remainder of this analysis, we will focus on the activities of UNC5221.
Identity as a Target
To achieve control, UNC5221 actors employ a coordinated strategy using BRICKSTEAL for access and BRICKSTORM for operational persistence. CISA incident data shows that on April 11, 2024, the actors first breached a web server in the organization’s DMZ using an existing web shell. From this foothold, they used stolen credentials to move laterally through the internal network and reach the VMware vCenter server.
At this hub, the actors installed BRICKSTEAL, which is a digital skimmer that captures administrative credentials in plain text during web logins. Once these keys to the kingdom are secured, the actors perform the manual task of cloning Domain Controller servers. Cloning is not a built-in feature of the malware itself but rather an action the actors take using their newly stolen administrative rights to copy entire password databases for offline analysis without alerting live monitoring tools.
To manage the stolen data and maintain their presence, the actors deploy BRICKSTORM. This tool functions as the campaign’s primary exfiltration and command and control engine. To hide its activity, BRICKSTORM tunnels traffic through DNS over HTTPS (DoH) and WebSockets, allowing it to blend into legitimate web traffic and bypass traditional filters. This tunnel ensures that whether the actors are moving laterally or exfiltrating large volumes of sensitive data, their movements remain nearly invisible at the operating system level.
The Strategy of Invisibility
UNC5221 prioritizes stealth through a "Living off the Land" (LotL) approach, using built-in administrative tools rather than custom malware to ensure their activities appear legitimate. They frequently target edge infrastructure, such as routers and firewalls, where traditional Endpoint Detection and Response (EDR) agents do not operate. Findings from late 2025 indicate these groups exploited vulnerabilities in edge appliances from Ivanti, Citrix, and Fortinet. Once inside, they utilize kernel-mode rootkits to hide network connections from the underlying operating system.
BRICKSTORM has the ability to maintain persistence even if these LotL methods are disrupted. The malware features a self-monitoring function that checks for specific environment variables BRICKSTORM sets. If it detects their removal or a process termination, it initiates an automatic recovery sequence that reinstalls or restarts the process to ensure the actor remains in the network.
Malware Persistence and Remediation
To evade remediation, BRICKSTORM identifies a backup copy of its executable hidden in a predefined system directory, often masquerading as a benign utility such as vmware-sphere or vnetd. BRICKSTORM copies that backup file to a new location, modifies the system PATH so the new instance takes precedence, and silently launches it with the necessary environment variables. This self-watching logic means that simply rebooting a server or killing a process will not eliminate the threat. A full rebuild or deep forensic clean is required to ensure the foothold is removed.
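The PATH-precedence trick described above leaves a host-side trace that a defender can look for: a second copy of a service binary whose directory sits earlier in PATH than the legitimate one. The following audit script is an added example, not ExtraHop's or CISA's code; it takes a PATH string and a directory listing snapshot (so it runs offline on constructed data) and reports every basename that appears in more than one PATH entry, ranking first the names the page lists as BRICKSTORM disguises whose winning copy lives outside an assumed set of trusted system directories. The `TRUSTED_DIRS` set, the `/opt/tools` directory and the sample listing are constructed assumptions.

```python
"""Audit a Linux PATH for executables that shadow same-named binaries later in the search order."""
import os
from collections import defaultdict

# Names the page lists as BRICKSTORM disguises; used only to rank findings.
WATCHED_NAMES = {"vmware-sphere", "vnetd", "pg_update", "spclisten"}

# ASSUMPTION: directories where a legitimate copy of a system service binary normally lives.
TRUSTED_DIRS = {"/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/sbin"}

PATH_SEP = ":"  # Linux PATH separator (hardcoded so the snapshot logic is portable)


def find_shadowed(path_value, listing):
    """listing maps directory -> iterable of filenames (a snapshot, so this runs offline).

    Returns a list of dicts, one per basename present in more than one PATH entry.
    Directories are recorded in PATH order, so 'runs_from' is the copy that actually executes.
    """
    seen = defaultdict(list)
    for d in path_value.split(PATH_SEP):
        if not d:
            continue
        for name in listing.get(d, ()):
            if d not in seen[name]:
                seen[name].append(d)
    findings = []
    for name, dirs in seen.items():
        if len(dirs) < 2:
            continue
        winner = dirs[0]
        findings.append({
            "name": name,
            "runs_from": winner,
            "shadows": dirs[1:],
            "winner_untrusted": winner not in TRUSTED_DIRS,
            "watched": name in WATCHED_NAMES,
        })
    # Most suspicious first: watched names whose winning copy lives outside trusted dirs.
    findings.sort(key=lambda f: (not f["watched"], not f["winner_untrusted"], f["name"]))
    return findings


def snapshot_from_disk(path_value):
    """Build the listing from the live filesystem (regular executable files only)."""
    listing = {}
    for d in path_value.split(PATH_SEP):
        try:
            listing[d] = [
                n for n in os.listdir(d)
                if os.path.isfile(os.path.join(d, n)) and os.access(os.path.join(d, n), os.X_OK)
            ]
        except OSError:
            listing[d] = []
    return listing


# Constructed snapshot: a copy of "vnetd" placed in /opt/tools, which was prepended to PATH.
SAMPLE_PATH = "/opt/tools:/usr/local/sbin:/usr/sbin:/usr/bin:/bin"
SAMPLE_LISTING = {
    "/opt/tools": ["vnetd", "helper"],
    "/usr/local/sbin": ["mytool"],
    "/usr/sbin": ["vnetd", "sshd"],
    "/usr/bin": ["python3", "sshd"],
    "/bin": ["sh"],
}

if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_PATH, SAMPLE_LISTING):
        flag = "SUSPICIOUS" if f["watched"] and f["winner_untrusted"] else "info"
        print(f"[{flag}] {f['name']} runs from {f['runs_from']}, shadowing {', '.join(f['shadows'])}")
```

On a live host, replace the constructed snapshot with `find_shadowed(os.environ["PATH"], snapshot_from_disk(os.environ["PATH"]))`; a watched name whose winning copy sits outside the trusted directories is the case to escalate, and the page's guidance still applies: confirm with forensic imaging rather than deleting the copy, since the backup will reinstall it.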
ExtraHop addresses these identity-based threats by providing specialized visibility into the authentication services adversaries exploit. By decrypting Active Directory protocols, the RevealX platform unmasks hidden movements toward ADFS and other key identity stores that logs and traditional endpoint tools often miss.

Network Detection and Response: Closing the Visibility Gap
Traditional security tools such as firewalls and EDRs often struggle to counter the stealth and persistence of sophisticated actors like UNC5221. These tools frequently rely on logs or agents that adversaries can bypass or disable by operating within trusted virtualization layers. The ExtraHop RevealX Network Detection and Response (NDR) platform addresses these challenges by providing a real-time view of activity across the entire attack surface.
Continuous Network Visibility. RevealX passively monitors all network traffic and provides a real-time record of activity without requiring agents. This approach is essential for identifying UNC5221 activities on edge infrastructure (T1190), such as routers and firewalls, where EDR cannot be installed. By decrypting and decoding more than 90 protocols, the platform maintains visibility into malicious activity hidden within encrypted traffic.
Identifying Anomalous Behaviors. Because UNC5221 utilizes valid credentials (T1078) and administrative tools, detection requires the identification of subtle deviations from baseline behavior. RevealX utilizes machine learning to detect unusual authentication patterns and abnormal protocol usage even when valid credentials are used. This capability is critical for uncovering lateral movement (T1021) toward high-value targets like ADFS servers or password vaults.
Detecting Persistence and Command and Control. The platform identifies suspicious outbound connections that indicate command and control protocol tunneling (T1572) activity. This includes identifying covert communication channels that utilize DoH or WebSockets to blend in with legitimate web traffic. When BRICKSTORM attempts to reinstall or restart, the resulting network activity provides a clear signal of the intrusion.
Forensics and Response Integration. Continuous network recording allows security teams to trace the entire path of an attacker and determine the full scope of a compromise. RevealX integrates with SIEM and SOAR platforms to enrich alerts with network context, enabling teams to respond with greater speed and precision. This forensic record is vital for confirming whether data exfiltration (T1041) occurred and identifying exactly which systems were accessed during the breach.
UNC5221 TTPs and Detection Strategy
The BRICKSTORM backdoor is a known Indicator of Compromise (IOC). BRICKSTORM’s sophisticated behavior, such as C2 traffic concealed within DNS-over-HTTPS (DoH), requires advanced network analysis to identify. This table reflects only the techniques explicitly supported by the CISA Malware Analysis Report and joint advisories.
BRICKSTORM Indicators of Compromise (IOCs)
According to the December 19, 2025, CISA update, defenders should monitor for the following specific indicators:
Unauthorized DNS-over-HTTPS (DoH) Resolvers
The malware frequently attempts to resolve its C2 infrastructure using the following public DoH endpoints:
- https[:]//1.1.1[.]1/dns-query (Cloudflare)
- https[:]//8.8.8[.]8/dns-query (Google)
- https[:]//9.9.9[.]9/dns-query (Quad9)
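The DoH and WebSocket tunnelling described earlier in this analysis, together with the resolver list above, can be turned into a simple network-side check: a vCenter, ESXi or domain controller host has no ordinary reason to send HTTPS to a public DoH resolver. The script below is an added example rather than ExtraHop or CISA code. It parses constructed flow records, flags server-range hosts (an assumed 10.10.0.0/16, standing in for the data-center network) that connect to the three listed resolvers, and separately lists long-lived HTTPS sessions from those hosts as candidates for a WebSocket tunnel; the 30-minute threshold is a heuristic of this example, not a figure from the page.

```python
"""Flag data-center hosts that talk to public DoH resolvers (constructed flow data)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Public DoH endpoints named in the CISA update (shown defanged on the page, plain here).
DOH_RESOLVERS = {
    "1.1.1.1": "Cloudflare",
    "8.8.8.8": "Google",
    "9.9.9.9": "Quad9",
}

# ASSUMPTION: this range holds vCenter/ESXi/AD hosts that have no business using DoH.
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed flow records: src,dst,dport,tls_sni,http_path,duration_s
SAMPLE_FLOWS = """\
src,dst,dport,tls_sni,http_path,duration_s
10.10.5.20,1.1.1.1,443,cloudflare-dns.com,/dns-query,1
10.10.5.20,1.1.1.1,443,cloudflare-dns.com,/dns-query,2
10.10.5.20,1.1.1.1,443,cloudflare-dns.com,/dns-query,1
192.168.40.17,8.8.8.8,443,dns.google,/dns-query,1
10.10.5.20,203.0.113.9,443,update.example,/socket,3600
10.10.7.4,10.10.0.5,636,,,4
"""


def is_server_host(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_NETS)


def parse_flows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_doh_from_servers(flows):
    """Return {src: (resolver_name, session_count)} for server hosts reaching public DoH resolvers."""
    counts = defaultdict(int)
    names = {}
    for f in flows:
        dst = f["dst"]
        # The resolver IP on 443 is enough to alert; the /dns-query path (visible only
        # where traffic is decrypted) merely strengthens the signal.
        if dst not in DOH_RESOLVERS or f["dport"] != "443":
            continue
        if not is_server_host(f["src"]):
            continue  # a workstation browser using DoH is expected noise
        counts[f["src"]] += 1
        names[f["src"]] = DOH_RESOLVERS[dst]
    return {src: (names[src], n) for src, n in counts.items()}


def find_long_https_sessions(flows, min_seconds=1800):
    """Heuristic: long-lived HTTPS sessions from server hosts are WebSocket-tunnel candidates."""
    return [
        (f["src"], f["dst"], int(f["duration_s"]))
        for f in flows
        if is_server_host(f["src"]) and f["dport"] == "443"
        and f["dst"] not in DOH_RESOLVERS and int(f["duration_s"]) >= min_seconds
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, (name, n) in find_doh_from_servers(flows).items():
        print(f"ALERT DoH: {src} -> {name} resolver, {n} sessions")
    for src, dst, secs in find_long_https_sessions(flows):
        print(f"REVIEW long HTTPS session: {src} -> {dst} ({secs}s)")
```

The two checks are deliberately independent: the resolver match is a high-confidence indicator on its own, while the long-session list is a triage queue that needs the decrypted protocol context an NDR platform supplies before it is treated as a finding.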
Malicious File Artifacts
Recent samples identified by CISA include both Go-based and Rust-based versions, often masquerading as legitimate system utilities:
- Common Filenames: pg_update, spclisten, or generic system-v looking service names.
- Persistence Method: Modification of systemd units or startup scripts to ensure the backdoor survives a reboot.
Recommended Detection Signatures
CISA has released updated YARA and Sigma rules (specifically in MAR-2512217.c1.v2) that detect BRICKSTORM.
The Requirement for Network Visibility
Defending virtualized environments against UNC5221 requires visibility that goes beyond the capabilities of standard endpoint tools. These threat actors operate in the blind spots of the data center, specifically targeting virtualization management and edge appliances where security agents cannot run. Organizations cannot rely on local logs that attackers typically delete or modify. Defense requires inspecting the actual traffic moving between virtual machines and identity stores. Monitoring the network layer allows security teams to catch the subtle indicators of a BRICKSTORM tunnel regardless of how many self-healing tricks the malware uses on the server.
ExtraHop RevealX addresses these threats by providing clear visibility into the authentication services these adversaries exploit. By decrypting and analyzing Active Directory and ADFS protocols, RevealX exposes hidden movements that logs and endpoint tools miss. This transparency helps organizations spot an attacker trying to forge a digital entry pass or move towards a sensitive database. By using the network as the ultimate source of truth, RevealX helps to ensure that even if an adversary hides from the operating system, their lateral movement and data theft stay visible to the defenders.
Learn More About ExtraHop
The network usually tells the story that logs and endpoints often miss. If you want to see how this actually works in practice, or if you're just curious about how your own environment holds up, there are a few ways we can help:
- See it in action: We can jump on a quick call to show you exactly how RevealX picks up on the TTPs used by actors like UNC5221.
- Check your blind spots: We offer a simple network security assessment to help you find out if there’s activity moving sideways through your environment that your current tools aren't catching.
- Your experts speak with our experts: If you have specific questions about decryption or how to handle "Living off the Land" tactics, your team can spend time with ours.
Click HERE to schedule your time with us and learn more about ExtraHop NDR.

Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandboxing, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.